Swomi Inc. — Confidential — Draft for Legal Review
Comprehensive Privacy Policy — Actor Model, Two Levels, and the Reasoning/Intelligence Firewall
Version: 1.3 (Draft for Legal Review) — supersedes v1.2
Effective Date: June 4, 2026 | Entity: Swomi Inc., incorporated in Canada
Contact: privacy@swomi.com | DPO: dpo@swomi.com
v1.3 aligns this policy to the canonical Swomi Model Specification v1.0. It adds the Actor model, sovereign profiles, the reasoning/intelligence firewall, group/shared-intelligence participation with a contribution retraction window, the crisis-support path, and an explicit statement of what Swomi does not do (no scraping, no sourcing of non-users). Items marked “verification pending” are asserted by design and are being independently tested.
When you use Swomi, you are trusting us with your information. We treat that as a responsibility and we work to keep you in control. This Privacy Policy explains what information we collect, why, and how you can access, manage, export, and delete it.
Swomi is an AI platform built around Actors — avatars, virtual actors, and autonomous agents. Some Actors are operated by or learn for a specific person; others are fully system-created. This distinction matters legally, and we explain it in Section 4. Throughout, “you” means the natural person behind a user-bonded Actor.
Swomi Inc. (“Swomi,” “we,” “us,” or “our”) is incorporated in Canada. We comply with PIPEDA, Quebec’s Law 25, the EU GDPR, the UK GDPR, Canada’s Anti-Spam Legislation (CASL), and the California Consumer Privacy Act (CCPA/CPRA) where applicable. If EU or UK law applies to you, see Section 12.
Before you log in, and even if you remain anonymous, our systems automatically analyze your connection to protect against bots, attackers, and abuse.
What we collect: hashed IP address, request rate and timing patterns, browser/device signals (including a hashed device fingerprint), and threat-classification scores.
Where it lives: a separate Security Zone (Zone A), architecturally isolated from your identity and personalization data.
Legal basis: Legitimate Interest (GDPR Art. 6(1)(f); PIPEDA Principle 4.3.4; Law 25 s.13). See our Legitimate Interest Assessment (Trust Center Doc #5).
Retention: 30 days for ordinary connections; up to 1 year where a connection is linked to a confirmed security threat.
Use limitation: Zone A data is never used for personalization, shared intelligence, model improvement, or advertising. It is firewalled from your profile.
Important: before you opt in, we do not build any behavioral or personalization profile of you. No communication-style, preference, topic, or psychological inference is computed or stored. The only processing before opt-in is the Zone A security processing above.
If you opt in when creating an Actor (or later in Privacy Controls), that Actor begins to build a sovereign profile to tailor how it works for you. “Sovereign” means you govern it: you can inspect, export, and revoke it at any time. It is bound to that specific Actor — if you operate several Actors, each has its own profile and its own consent.
What we collect after opt-in: communication style, interaction preferences, topic patterns, and — only with the separate just-in-time consent in §2.3 — inferred psychological attributes.
Where it lives: a separate Personalization Zone (Zone B), keyed by a pseudonymized identifier, not your name or email.
Legal basis: Explicit Consent (GDPR Art. 6(1)(a)).
Nature of data: this data is pseudonymized, not anonymous. The pseudonymized identifier can be re-linked to you (for example, to bring your profile to your account on consent), so it is personal data under GDPR and Law 25, and we treat it accordingly. The fact that an Actor is an avatar does not make it anonymous — an avatar is a pseudonym.
Our AI may detect that a conversation touches on psychological or emotional attributes (for example, resilience or one’s relationship with mortality).
Handling: we treat these as Special Category Data by default (GDPR Art. 9) and hold them in a separate, access-restricted store — not inside your ordinary profile.
Just-in-time consent: when such an inference is detected, a Sensitive Inference Alert asks for your explicit consent before the inference is stored. If you decline, it is discarded and never written.
Isolation: neither our security systems nor our personalization/shared-intelligence systems read from this store.
Use limitation: sensitive inferences are never used for shared intelligence, advertising, third-party sharing, or model improvement.
Account information: name, email, password.
Content you submit: messages, prompts, files, and documents.
Consent records: timestamped records of your choices, stored in Lens 2.
To be unambiguous: personalization is off by default. Until you grant Zone B consent, Swomi does not create a behavioral profile, does not score communication style or personality, does not infer topics or preferences, and does not generate or store psychological inferences. The product is fully usable in this default state.
Some commitments do not depend on your settings:
We do not scrape social media or the web to build or enrich profiles of you or anyone else.
We do not source, purchase, or assemble lists of people who are not Swomi users in order to contact them.
We do not send unsolicited messages built on data a person did not give us. Invitations are sent by users to people they already know and choose (see Section 11).
We do not sell your personal data, and we do not use it for targeted advertising.
| Purpose | Lawful Basis | Description |
|---|---|---|
| Service delivery (including your Actor performing its assigned tasks) | Contract (Art. 6(1)(b)) | Run your account; your bonded Actor does the job you asked of it. This covers doing the task — not building a durable profile, which requires consent. |
| Security (Zone A) | Legitimate Interest (Art. 6(1)(f)) | Detect bots, prevent attacks, protect system integrity. Firewalled from personalization. |
| Agent-to-agent operation (world / plumbing) | Legitimate Interest (Art. 6(1)(f)) | Allow Actors to interact so the service functions; the world/interaction graph is anonymized and is not used to profile members. |
| Personalization (sovereign profile, Zone B) | Explicit Consent (Art. 6(1)(a)) | Build and use a profile — only after opt-in — so your Actor tailors how it works for you. |
| Group participation & contribution | Explicit Consent (Art. 6(1)(a)) | Join groups you select; optionally contribute your Actor’s learning to a group’s shared intelligence (see §5.2). |
| Sensitive inferences | Explicit Consent (Art. 9(2)(a)) | Retain special-category inferences only after just-in-time consent. |
| Model improvement | Explicit Consent (Art. 6(1)(a)) | Improve Swomi’s own systems on pseudonymized/aggregated data — opt-in only, and separate from group contribution. |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | Comply with Canadian, EU, UK, and US law. |
We do not use your data for targeted advertising, and we do not sell your personal data.
Swomi processes data through Actors. There are two kinds, and the difference determines how the law applies:
User-bonded Actors are avatars or autonomous agents operated by, representing, or learning for a specific person. Data about them is your personal data, and all the protections in this policy apply.
System / autonomous agents are created and operated by Swomi to perform tasks, with no natural person behind them. They are not personal data. We treat an Actor as user-bonded by default, and only as a system agent where that can be positively established.
Swomi separates reasoning from intelligence:
The reasoning level is provided by our third-party reasoning engine (the underlying AI model). It thinks about your current request and then forgets it. It acts as our processor and does not retain or train on your input.
The intelligence level is Swomi’s own system — your sovereign profile, group/shared intelligence, and persistent learning. This stays within Swomi.
A firewall sits between them. Your intelligence-level data (your profile, identifiers, device fingerprint, group memberships) is never sent to the reasoning engine; identifiers and linkage are stripped from what is sent; and the reasoning engine is contractually bound not to retain or train on it. This is what keeps the reasoning provider a processor rather than a recipient of your personal data. (Verification of the stripping is ongoing.)
Lens 1 (Behavioral): divided into Zone A (Security) and Zone B (Personalization). The two zones are architecturally isolated and do not share data.
Lens 2 (Identity): your name, email, account ID, and consent records.
The Bridge: links between Lens 1 and Lens 2 are independently gated. Zone A links to identity only when a security threat is confirmed (security-purpose-only); Zone B links to identity only where you have granted consent.
Your profile is never shared as a profile — sharing a profile would disclose you. What can be shared, with your separate consent, is intelligence: learned capability, abstracted from you, contributed to a group (see §5.2). Consistent with §2.5, no Zone B profile exists for you unless and until you opt in.
We ask for consent in context — at the moment each choice becomes real, not all at once on a form. Every consent is optional and default-OFF; you can use Swomi without granting any of them.
1. When you create an Actor — Personalization. We ask whether this Actor may learn you. You must answer, but the Actor is created and works either way; declining simply means it does not build a profile.
2. Creating a shared-intelligence profile. You may give your Actor a profile that can later participate in groups. This step is reversible — no data has been shared yet.
3. When you join a group — Participation. Asked per group; joining one group is not consent for another. You can leave a group at any time.
4. Contributing to a group’s shared intelligence. A separate, clearly-warned choice (see §5.2 for the retraction window).
Sensitive inferences. Asked just-in-time, at the moment of inference (§2.3).
A separate Model Improvement consent (default OFF) governs whether your pseudonymized/aggregated data helps improve Swomi’s own systems. It is distinct from group contribution.
Actors can participate in shared intelligences scoped to groups you select; a group becomes more capable than its members alone. What a group accumulates is capability, abstracted from its members — not a collection of member profiles, and no member can read another member’s contribution.
The contribution retraction window. When your Actor contributes its learning to a group, that contribution is held separately and remains retractable for 30 days. Within that window you can withdraw it and it is removed. After 30 days it is blended into the group’s collective intelligence and can no longer be individually withdrawn — at that point it has been irreversibly combined and is no longer identifiable to you. We tell you this clearly before you contribute.
You can always stop future contributions and leave a group; what you cannot do is reverse contributions already blended past the 30-day window.
You can revoke consent at any time in Settings > Privacy Controls.
Immediate effect: new processing stops instantly.
Zone B purge: your personalization profile is deleted within 30 days.
Embeddings & vector stores: where technically feasible, we purge your data within 30 days of an erasure request.
Group contribution: contributions still within the 30-day window are withdrawn; contributions already blended cannot be individually removed (documented technical limitation).
Model improvement: data already incorporated into improved systems cannot be selectively removed; no further data from you will be added, and we document the limitation and apply compensating measures.
Commitment: we do not intentionally collect special category data (race, religion, health, etc.).
Inferred data: where inferred, we treat it as Special Category under GDPR Art. 9 and store it separately, with restricted access.
Consent timing: explicit consent is obtained at the point of inference (Sensitive Inference Alert), before storage.
Isolation: neither our security nor our personalization/shared-intelligence systems read this store.
Group sensitivity: membership of a group whose subject implies special-category topics is itself treated as sensitive.
If our system detects that you may be in distress, it will respond with care in the moment and surface real support resources. This detection is transient: it shapes the immediate response only.
We do not store “at-risk” as a profile attribute.
We do not use distress detection for personalization, shared intelligence, model improvement, or advertising.
We do not route it to third parties without you.
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Information | Account duration + 30 days | Service delivery; contract. |
| Chat History | Account duration (deletable anytime) | Service delivery; contract. |
| Zone A (Security) | 30 days; up to 1 year (confirmed threats) | System protection; legitimate interest. |
| Sovereign Profile (Zone B) | 30 days (default) or up to 5 years (opt-in) | Consent; storage limitation. |
| Zone B Embeddings | Purged within 30 days of erasure request | Consent + erasure right. |
| Group Contribution (pre-blend) | Retractable for 30 days, then blended (irreversible) | Consent; anonymization boundary. |
| Special-Category Store | Only with consent; separate, access-restricted | Art. 9 explicit consent. |
| Group Membership | Until you leave the group / account duration | Consent. |
| Model Improvement Data | Indefinite (aggregated/pseudonymized) | Consent (irreversible once incorporated). |
| Consent Records | Account duration + 7 years | Accountability; legal obligation. |
| Audit Logs | 7 years (hash-chained) | GDPR Art. 5(2); Law 25. |
Audit logs are hash-chained and immutable. If you request erasure, your identity is removed from the chain while cryptographic integrity is preserved.
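One way the property just stated (identity removable, chain integrity preserved) can be achieved is a hash chain in which the subject of each entry is recorded only as an HMAC under a per-user key, so that erasure destroys the key rather than any entry. This is an added illustration, not Swomi's own code; the policy does not describe the mechanism, and the AuditChain class, its in-memory store and the per-user key scheme are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class AuditChain:
    """Append-only hash chain with per-user keys for identity tags (assumed design).

    Each entry commits to the previous entry's hash, so altering any entry
    breaks every later link. The subject of an entry is stored only as
    HMAC(user_key, user_id); erasure deletes user_key, which leaves every
    hash (and therefore chain integrity) intact but makes the tag unlinkable.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []    # hypothetical in-memory log; a real store would persist it
        self.user_keys = {}  # user_id -> 32-byte secret, held outside the chain

    @staticmethod
    def _tag(key, user_id):
        return hmac.new(key, user_id.encode(), "sha256").hexdigest()

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user_id, event):
        """Record an event for user_id; the clear user_id never enters the chain."""
        key = self.user_keys.setdefault(user_id, secrets.token_bytes(32))
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"prev": prev, "subject": self._tag(key, user_id), "event": event}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute every hash and link; False on any tampering or gap."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def is_subject(self, user_id, entry):
        """Link an entry back to a person; impossible once their key is erased."""
        key = self.user_keys.get(user_id)
        return key is not None and hmac.compare_digest(
            self._tag(key, user_id), entry["subject"])

    def erase(self, user_id):
        """Erasure request: destroy the key, never the entries or their hashes."""
        self.user_keys.pop(user_id, None)
```

Because the subject tag is identical across one user's entries, erased entries stay linkable to each other as a pseudonym even though they can no longer be linked to the person; mixing the entry index into the HMAC input would remove that residual linkability.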
We conduct a Legitimate Interest Balancing Test for security profiling (Zone A).
Necessity: automated attacks cannot be detected without analyzing connection patterns, including request rate/timing and a hashed device fingerprint.
Impact: minimal — no content scanning, short retention (extended only for confirmed threats), isolated storage.
Significant automated actions: where a security determination would significantly affect you (for example, restricting an account), you may request human review.
Right to object: you may object under GDPR Art. 21; we may retain minimal data to verify safety where your connection matches known attack patterns.
Document: the full test is in Trust Center > Doc #5 (Legitimate Interest Assessment).
Swomi is a Canadian company and data is primarily processed in Canada.
Reasoning engine: our third-party reasoning provider acts as a processor and receives only minimized, de-identified input under a data-processing agreement; it does not retain or train on it (see §4.2).
EU/UK transfers: protected by Standard Contractual Clauses (SCCs) and supplementary measures (encryption, access controls).
US transfers: sub-processors certified under the EU-U.S. Data Privacy Framework where applicable.
Sub-processors: include our cloud hosting provider, our vector-store provider, and our reasoning-engine provider. See the Sub-Processor List in the Trust Center.
You can exercise rights via the Data Rights Portal in your dashboard:
Access: download an archive of your data.
Rectification: correct inaccurate data.
Erasure: delete your account and profile (subject to the documented post-blend limitation in §5.2).
Portability: export data in a machine-readable format.
Objection: object to processing based on legitimate interest.
Withdraw consent: revoke personalization, participation, contribution, or model-improvement consent instantly.
SLA: we respond within 30 days (Canada/EU) or 45 days (California).
Swomi may help you invite people you already know and choose — for example, contacts you select. We do not generate or source lists of people for you to invite, we never contact a person you did not choose, and if an invited person does not join, we do not retain their data.
Automated decision-making (Art. 22): our personalization does not produce legal or similarly significant effects; for significant automated security determinations, and for autonomous-agent actions taken on your behalf, you have the right to human review.
EU AI Act: we align with Art. 5 (no prohibited manipulation/exploitation, with particular care for minors) and Art. 50 (transparency — you are told when you are interacting with an AI agent).
DPO: appointed for EU/UK data subjects (dpo@swomi.com).
PIA: completed for profiling and the Actor model; available in the Trust Center.
Profiling disclosure: proactive disclosure of automated processing.
CASL: we send commercial messages only with consent; invitations come from users to people they know (§11.1).
Minors: 14+ (Quebec), 13+ (Canada).
Services are not intended for children under 13 (16 in EU/UK, 14 in Quebec).
Because avatar and agent contexts can attract younger users, personalization, group participation, and sensitive-inference handling apply the strictest defaults for minors, and we do not profile minors for marketing.
Educational deployments include age-gating and parental-consent mechanisms.
We implement encryption (TLS 1.3 in transit, AES-256 at rest), role-based access control, MFA for administrative access, and hash-chained audit logs.
Trust Center documents:
Privacy Policy; Terms of Service; Acceptable Use Policy
PIA/DPIA Summary; Legitimate Interest Assessment (Doc #5); ROPA Summary
Sub-Processor List; Data Retention Schedule; Rights Fulfillment Runbook
Breach Protocol; Consent Management Log; AI Act Conformity; Data Transfer Impact Assessment; Data Governance Charter; Architecture Diagram
Contact: privacy@swomi.com | dpo@swomi.com
Updates: material changes are notified at least 30 days in advance.
Last Updated: June 4, 2026 | Version: 1.3 (Draft for Legal Review)